Password Strength Checker
Test password strength with entropy score, crack-time estimate, and breach check. Free and private: all processing happens in your browser.
The Password Strength Checker analyzes any password and rates it on multiple dimensions: bits of entropy (mathematical unpredictability), estimated crack time against modern GPU attacks, match against common password lists (the most-used passwords that attackers try first), and pattern detection (sequential characters, repeated letters, keyboard walks like qwerty). Unlike simple "length check + has uppercase" tools, this uses zxcvbn — a real password strength estimator built by Dropbox, analyzing against 30,000+ common passwords, common names, dates, keyboard patterns, and leet-speak substitutions.
Password strength matters because a large share of account compromises come from reused or weak passwords cracked in bulk after database breaches. An 8-character password with mixed case and digits sounds secure, but a GPU cracking rig can try hundreds of billions of guesses per second against leaked fast hashes. The checker tells you "your password would be cracked in 12 minutes", not just "weak" or "strong". It also flags whether your password appears in a known breach via Have I Been Pwned's k-anonymity API: only the first 5 hex characters of the password's SHA-1 hash are sent, so the password itself stays private. Strength analysis runs entirely in your browser; the breach check sends only that 5-character prefix, never the password.
Password Strength Checker — key features
Entropy calculation
Bits of entropy based on password length and alphabet size. Also shows what this means in crack time for various hash algorithms.
zxcvbn pattern detection
Detects dictionary words, names, dates, keyboard patterns, leet speak, repeats. Gives a realistic score 0-4.
Crack time estimate
Against modern GPU rigs. Not just weak/strong — says specifically: 12 minutes, 50 years, etc.
Breach database check
Uses Have I Been Pwned API via k-anonymity. Tells you if your password has appeared in any known data breach.
Specific feedback
Points to the exact weakness: your password uses the word password, contains a common date, or uses a keyboard sequence.
Improvement suggestions
Actionable tips: add 3 more characters, avoid common patterns, etc.
Local computation
Strength analysis runs entirely in your browser. The password you type never leaves your device (the only thing sent anywhere is the 5-character hash prefix used for the breach check).
Works for passphrases
Scores long passphrases correctly: a 6-word Diceware passphrase gets a high score and is not penalized for containing dictionary words, because the words are random and combined.
How to use the Password Strength Checker
1. Type or paste your password. Input is masked by default (dots); click the eye icon to reveal it. The password is never submitted or uploaded.
2. Read the strength score. 0 (very weak) to 4 (very strong) with color coding, alongside entropy in bits and estimated crack time.
3. Check for breach matches. If the password appears in a known breach, you will see how many times it has been leaked publicly. Any breach match means change it immediately.
4. Review feedback. Specific weaknesses detected (dictionary words, common patterns, date sequences), each with an explanation.
5. Apply improvements. Suggestions for a stronger variant: longer, random, no patterns. Use our [Password Generator](https://tooleras.com/tools/password-generator) for a random replacement.
Common use cases for the Password Strength Checker
Personal security
- Check your most important passwords: email, banking, crypto, identity-proof accounts, the ones where a breach is catastrophic. Verify each is strong and not breached.
- Audit old passwords: passwords you set years ago may have been leaked since. Check every critical account password against breach data.
- Teach password hygiene to family: show kids, parents, partners what weak looks like. Visual feedback (an instant crack-time estimate) is more convincing than abstract rules.
- Verify a new password before saving: before committing a newly chosen password to your password manager, verify its strength here.
Corporate security
- Verify compliance with policy: before bulk-importing users or setting service account passwords, test each against your policy.
- Audit service account credentials: machine-to-machine auth and shared credentials are often weaker than user passwords. Audit them.
- Pre-launch check for apps: before launching a new app with admin passwords, check that the master credentials are strong.
- Train employees on password strength: use the checker in security awareness training. Visual evidence persuades better than lectures.
Development
- Verify password policy enforcement: test edge cases. Does your validator actually reject Password123, or only passwords that fail length and character-class rules? Test the real rejection strength, not the rule text.
- Choose master passwords: for password managers, disk encryption, SSH key passphrases, the secrets you MUST remember. Verify strength before committing.
- Test auth system integrations: when integrating with auth providers, use test passwords of known strength to verify system behavior.
Education
- Learn what makes passwords weak: try your current password, then modify it and watch how the strength changes. Understand entropy.
- Compare approaches: random 12 characters vs a passphrase. Type both, compare. See for yourself which wins.
- Teach security basics: for coding bootcamps and security courses, the tool is an interactive way to learn password security.
Password Strength Checker — examples
Very weak password
Common dictionary word.
password
Score: 0 (very weak) Entropy: 2 bits (with dictionary) Crack time: < 1 second Reason: one of the most common passwords in every breach list. Action: change immediately.
Typical bad password
Common pattern with year.
Summer2024!
Score: 1 (still weak) Entropy: 18 bits (with pattern recognition) Crack time: 2 minutes Reason: seasonal word + year + bang. Attackers try this pattern first. Action: abandon pattern, use random.
Weak despite complexity
Leet speak on dictionary.
P@ssw0rd1
Score: 0 (very weak) zxcvbn detects leet substitution. The password is still "password" to an attacker with knowledge of common substitutions. Crack time: < 1 second.
Decent random
Short but random.
k7mP3xQ9
Score: 2 (fair) Entropy: 48 bits Crack time: 2 hours on GPU Should be longer for high-value accounts. 12+ chars recommended.
Strong random
Long random from password manager.
xK7#nP9$wE3@vR2m
Score: 4 (very strong) Entropy: 105 bits Crack time: over 10^12 years even at a trillion guesses per second. Excellent. Keep it in your password manager.
Strong passphrase
Memorable but secure.
correct-horse-battery-staple
Score: 4 (very strong) Entropy: 131 bits by the character formula, but only ~44 bits when counted as four random words from XKCD's 2048-word list (~52 bits for four Diceware words from a 7776-word list), and an attacker who guesses word by word faces the word-level figure. This exact phrase is also in every wordlist. Memorable AND secure when you generate your own: five or six random Diceware words (64 to 78 bits) for master passwords.
Breached password
Appeared in a data breach.
MyAwesomePass123!
⚠ BREACH MATCH This password appears 42 times in known data breaches. Change immediately even if never reused.
Technical details
Password strength is measured in bits of entropy — the logarithm (base 2) of the number of possible passwords an attacker must try to be guaranteed to crack yours.
Entropy formula:
```
entropy = length × log2(alphabet_size)
```
Examples (crack time assumes 10^12 guesses/sec, the NTLM figure below, and a full search of the space; the expected time is half of that):
| Password | Length | Alphabet | Entropy | Crack time (GPU) |
|---|---|---|---|---|
| 12345 | 5 | 10 (digits) | 16.6 bits | < 1 second |
| password | 8 | 26 (lowercase) | 37.6 bits | < 1 second (and in every dictionary) |
| Password1 | 9 | 62 (mixed case + digits) | 53.6 bits | ~ 4 hours by formula; instant in practice (common list) |
| k7#mP3!xQ | 9 | 94 (all printable) | 59.0 bits | ~ 1 week |
| k7#mP3!xQvR9@ | 13 | 94 | 85.2 bits | ~ 10^6 years |
| correct-horse-battery-staple | 28 | 26 (letters only) | 131.6 bits | ~ 10^20 years by formula; see the passphrase caveat above |
But entropy alone is misleading:
A password with high formula entropy that sits in a common password list is weak in practice, because attackers try common passwords first. Summer2024! scores ~72 bits by formula (11 characters from the 94-symbol printable set) but falls quickly in practice: attackers try season + year + trailing symbol early.
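The formula and the crack-time arithmetic behind the table above, as an added JavaScript example that is not the tool's own code. GUESS_RATES, alphabetSize and report are names chosen here; the rates are the figures quoted in the crack-speed list below and are assumptions about a multi-GPU rig, not measurements.

```javascript
// Added example (not the tool's own code): the character-class entropy
// formula from the table above, turned into crack-time estimates at the
// guess rates quoted on this page. The rates are assumptions, in guesses/s.
const GUESS_RATES = {
  ntlm: 1e12,                   // ~1 trillion/s on a multi-GPU rig
  md5: 2e11,
  sha256: 5e10,
  bcrypt_cost12: 1e5 / 2 ** 7,  // ~10^5/s at cost 5, halved per cost step: ~780/s at cost 12
};

// Alphabet size = sum of the character classes present, exactly as the
// table counts it: one digit anywhere adds all 10 digits to the alphabet.
function alphabetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) size += 32; // printable ASCII punctuation and space
  return size;
}

// entropy = length × log2(alphabet_size); length in code points, not bytes.
function naiveEntropyBits(pw) {
  const n = [...pw].length;
  return n === 0 ? 0 : n * Math.log2(alphabetSize(pw));
}

// Seconds to try every one of the 2^bits candidates at `rate` guesses/s.
// The expected time to hit the right one is half of this.
function crackSeconds(bits, rate) {
  return 2 ** bits / rate;
}

function humanTime(seconds) {
  if (seconds < 1) return '< 1 second';
  const units = [['year', 31557600], ['day', 86400], ['hour', 3600], ['minute', 60], ['second', 1]];
  for (const [name, len] of units) {
    if (seconds < len) continue;
    const v = seconds / len;
    if (v >= 1e6) return `${v.toExponential(1)} ${name}s`;
    const r = Math.round(v);
    return `${r} ${name}${r === 1 ? '' : 's'}`;
  }
}

// Formula-only report: no dictionary or pattern knowledge, so "Password1"
// and "Summer2024!" look far stronger here than they really are.
function report(pw) {
  const bits = naiveEntropyBits(pw);
  const crackTime = {};
  for (const [hash, rate] of Object.entries(GUESS_RATES)) {
    crackTime[hash] = humanTime(crackSeconds(bits, rate));
  }
  return { bits: Number(bits.toFixed(1)), crackTime };
}
```

report('Summer2024!') gives 72.1 bits and a crack time of years at every rate, which is exactly the optimism the surrounding text warns about. The hyphenated passphrase also comes out above the table's 131.6 bits because the hyphens count as symbols here; neither number means anything once the attacker guesses words instead of characters.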
zxcvbn algorithm:
zxcvbn goes beyond the entropy formula by matching patterns:
1. Dictionary match — check against 30,000+ most common passwords.
2. Name match — check against common first/last names.
3. Year match — 1900-2050 are common (birthdays, graduation years).
4. Repeat pattern — aaa, 121212, abcabc.
5. Sequence — abc, 123, qwerty (keyboard walks).
6. L33t speak — substitute @ for a, 3 for e, ! for i.
7. Date pattern — 1/1/2000, 01012000, jan2000.
Score from 0 (very weak) to 4 (very strong):
- 0: too guessable, crackable in < 10^3 attempts
- 1: very guessable, < 10^6 attempts
- 2: somewhat guessable, < 10^8 attempts (online attacks maybe OK, offline NO)
- 3: safely unguessable, < 10^10 attempts (offline attacks slowed)
- 4: very unguessable, > 10^10 attempts (offline attacks impractical)
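The pattern-matching idea behind zxcvbn and the score bands above, as an added JavaScript example. This is not zxcvbn's code; it is a toy built to the same shape. DICT, LEET, KEYBOARD_ROWS, the decoration multipliers and the function names are constructed for illustration. Two details do follow zxcvbn: the brute-force baseline of 10 guesses per character and the delta of 5 on the score thresholds.

```javascript
// Added example, not zxcvbn's code: a deliberately small estimator in the same
// spirit, to show why matching patterns beats the character-class formula.
// DICT and KEYBOARD_ROWS are constructed samples (zxcvbn's real lists hold
// tens of thousands of entries); the multipliers are simplified assumptions.
const DICT = ['123456', 'password', 'qwerty', 'letmein', 'summer',
              'welcome', 'dragon', 'monkey', 'iloveyou', 'admin']; // rank = index + 1
const LEET = { '@': 'a', '4': 'a', '3': 'e', '1': 'i', '!': 'i', '0': 'o', '$': 's', '5': 's', '7': 't' };
const KEYBOARD_ROWS = ['qwertyuiop', 'asdfghjkl', 'zxcvbnm'];

const unleet = s => [...s].map(c => LEET[c] ?? c).join('');

// zxcvbn's brute-force baseline is deliberately pessimistic: 10 guesses per
// character, not the 94-symbol alphabet of the textbook formula.
const bruteForceGuesses = pw => 10 ** [...pw].length;

// Dictionary word plus the usual decorations: capitalisation, leet
// substitutions, trailing digits (a plausible year is cheaper than an
// arbitrary 4-digit number) and trailing symbols. null if no word matches.
function dictionaryGuesses(pw) {
  const m = /^(.+?)(\d*)([^a-zA-Z0-9]*)$/.exec(pw);
  if (!m) return null;
  const [, core, digits, symbols] = m;
  const plain = unleet(core.toLowerCase());
  const rank = DICT.indexOf(plain) + 1;
  if (rank === 0) return null;
  let guesses = rank;
  if (core !== core.toLowerCase()) guesses *= 2;                   // Password, PASSWORD
  const subs = [...core.toLowerCase()].filter(c => LEET[c] !== undefined).length;
  guesses *= 2 ** subs;                                              // each substitution on/off
  if (/^(19\d\d|20[0-4]\d|2050)$/.test(digits)) guesses *= 151;     // years 1900-2050
  else guesses *= 10 ** digits.length;
  guesses *= 10 ** symbols.length;                                   // ! # $ ... tried from a short list
  return guesses;
}

// Keyboard walks, ascending/descending runs and repeated units.
function sequenceGuesses(pw) {
  const s = pw.toLowerCase();
  if (s.length < 3) return null;
  for (const row of KEYBOARD_ROWS) {
    const rev = [...row].reverse().join('');
    if (row.includes(s) || rev.includes(s)) return row.length * 2 * 4; // start × direction × a few lengths
  }
  const codes = [...s].map(c => c.charCodeAt(0));
  const step = codes[1] - codes[0];
  if (Math.abs(step) === 1 && codes.every((c, i) => i === 0 || c - codes[i - 1] === step)) {
    return 36 * 2 * s.length;                                         // start char × direction × length
  }
  for (let unit = 1; unit <= s.length / 2; unit++) {
    if (s.length % unit === 0 && s.slice(0, unit).repeat(s.length / unit) === s) {
      return bruteForceGuesses(s.slice(0, unit)) * (s.length / unit);
    }
  }
  return null;
}

// zxcvbn keeps a delta of 5 so that a round 10^8 still lands in the lower band.
function scoreFromGuesses(g) {
  const DELTA = 5;
  if (g < 1e3 + DELTA) return 0;
  if (g < 1e6 + DELTA) return 1;
  if (g < 1e8 + DELTA) return 2;
  if (g < 1e10 + DELTA) return 3;
  return 4;
}

// The attacker takes the cheapest route, so the estimate is the minimum.
function estimate(pw) {
  const candidates = [bruteForceGuesses(pw), dictionaryGuesses(pw), sequenceGuesses(pw)]
    .filter(g => g !== null);
  const guesses = Math.min(...candidates);
  return { guesses, score: scoreFromGuesses(guesses), log10Guesses: +Math.log10(guesses).toFixed(1) };
}
```

estimate('P@ssw0rd1') lands at 160 guesses (rank 2, times 2 for the capital, times 4 for two substitutions, times 10 for the trailing digit), score 0, while the formula above credits it with 59 bits. estimate('k7mP3xQ9') stops at the 10^8 baseline and scores 2, matching the example earlier on this page.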
Modern crack speeds (2026 GPU rig):
- NTLM hash: ~ 1 trillion attempts/sec
- MD5: ~ 200 billion attempts/sec
- SHA-256: ~ 50 billion attempts/sec
- bcrypt: about 10^5 attempts/sec per GPU at the benchmark cost factor of 5; every +1 to the cost factor halves that, so a sane production cost (10-12) allows only a few thousand per second. This is why password storage should use bcrypt, scrypt or Argon2id rather than a fast hash.
Breach checking (Have I Been Pwned):
Pwned Passwords API uses k-anonymity. Process:
1. Your browser computes the SHA-1 hash of the password (40 hex characters).
2. It sends only the first 5 hex characters of that hash (e.g., 5BAA6) to the API.
3. The API returns the 35-character suffixes of every hash that shares that prefix (typically several hundred), each with its breach count.
4. Your browser compares the remaining 35 characters locally.
The server sees only a prefix shared by hundreds of unrelated passwords, so it cannot tell which one you checked. The full password never leaves your device.
NIST password guidelines (SP 800-63B):
- Minimum 8 characters; allow at least 64
- Permit all printable characters including spaces
- DO NOT require forced complexity (uppercase + symbol + digit)
- DO NOT force periodic rotation
- DO check against breach databases (like Have I Been Pwned)
- DO rate-limit login attempts
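A validator that applies the 800-63B rules just listed instead of composition rules, as an added JavaScript example that is not from NIST or from this tool. validateMemorizedSecret and makeRateLimiter are names chosen here, and BLOCKLIST is a constructed sample of what a real deployment would load from a breach corpus or the HIBP range API.

```javascript
// Added example, not from NIST or from this tool: a memorized-secret
// validator that follows the SP 800-63B rules above. BLOCKLIST is a
// constructed sample; a real deployment loads it from breach data.
const BLOCKLIST = new Set([
  'password', 'password1', 'password1!', 'summer2024!', 'letmein', 'qwerty123',
]);

function validateMemorizedSecret(raw, { minLength = 8, maxLength = 64, context = [] } = {}) {
  // NFKC first, so look-alike Unicode forms (fullwidth letters, compatibility
  // characters) compare equal to their ASCII counterparts; then count code points.
  const pw = raw.normalize('NFKC');
  const length = [...pw].length;
  const problems = [];
  if (length < minLength) problems.push(`too short: ${length} < ${minLength}`);
  if (length > maxLength) problems.push(`too long: ${length} > ${maxLength}`);
  // Every printable character and space is allowed; only control characters are rejected.
  if (/\p{Cc}/u.test(pw)) problems.push('control characters are not allowed');
  const lower = pw.toLowerCase();
  if (BLOCKLIST.has(lower)) problems.push('appears in the breach/common-password list');
  // Context-specific words (username, service name) are rejected as well.
  for (const word of context) {
    if (word && lower.includes(word.toLowerCase())) problems.push(`contains "${word}"`);
  }
  // Deliberately absent: uppercase/digit/symbol requirements and any expiry date.
  return { ok: problems.length === 0, problems, normalized: pw };
}

// 800-63B also asks the verifier to limit failed attempts per account
// (no more than 100 consecutive failures). Minimal in-memory counter;
// a real deployment keeps this in shared storage and adds a cooldown.
function makeRateLimiter({ limit = 100 } = {}) {
  const failures = new Map();
  return {
    allowed: account => (failures.get(account) ?? 0) < limit,
    recordFailure: account => failures.set(account, (failures.get(account) ?? 0) + 1),
    reset: account => failures.delete(account),
  };
}
```

Note what the normalization buys: the fullwidth string 'ｐａｓｓｗｏｒｄ１！' normalizes to 'password1!' and is caught by the blocklist, whereas a byte-wise comparison would let it through. The validator is only as good as its blocklist, which is why the breach check on this page matters more than any complexity rule.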
Common problems and solutions
⚠Score 4 does not mean invincible
Score 4 means resistant to bulk brute-force and dictionary attacks. A targeted attacker who knows details of your life, a phishing page, or malware on your device does not need to crack anything; quantum computers are a distant concern (see the FAQ). Use 2FA for all important accounts regardless of password strength.
⚠Strength meter on the site does not check breaches
Most websites only check pattern/length, not breach databases. A password can pass the site rules but still be in a breach list. Always check against Have I Been Pwned for important passwords.
⚠Complexity rules make passwords weaker
Requirements like must contain uppercase + digit + symbol push users toward predictable patterns (Password1!). NIST 800-63B explicitly discourages these rules. Length is more important than complexity.
⚠Reusing a strong password is still weak
Even a 4-of-4 password becomes weak the moment it is shared across accounts. One breach compromises all. Every account needs a unique password. Use a password manager.
⚠Passphrase with common phrase
Famous quotes or song lyrics are in attacker wordlists. Romeo loves Juliet is not secure. Use random word combinations (Diceware) not quotes.
⚠Master password for password manager
This is the password you MUST remember. Too short and it can be guessed; too complex and you cannot type it reliably. A 6-word Diceware passphrase is the sweet spot. Back it up with physical recovery codes.
⚠Writing down passwords
Use a password manager (1Password, Bitwarden). A sticky note in plain view of your monitor undoes any password strength. A paper copy in a locked drawer is acceptable as a backup for critical accounts.
⚠Strength checker false sense of security
A strong password is one layer. Add 2FA (a hardware key such as a YubiKey, or an authenticator app; SMS only as a last resort), enable breach alerts, and set up account recovery options. A password alone is never enough in 2026.
Password Strength Checker — comparisons and alternatives
zxcvbn vs simple length check: Simple meters say Password1! is strong (8+ chars, mixed case, digit, symbol). zxcvbn knows it is in the common password list and rates it weak. zxcvbn is realistic; simple meters are optimistic.
Pattern detection vs pure entropy: Pure entropy formula says 131b2o3r4i5n6g is high entropy (14 chars, mixed). But it is a predictable pattern (boring with numbers between letters). Pattern detection catches this; pure entropy does not.
Strength checker vs Password Generator: Checker evaluates existing passwords. Generator creates new ones. Use together: generate a random password, check its strength, use it. See our Password Generator.
zxcvbn vs NIST password rules: zxcvbn is a technical measurement. NIST provides human-usable guidelines (8+ chars, check breaches, no forced rotation). Both inform good password practice.
Local check vs online breach check: This tool does both. Local strength analysis (zxcvbn) — purely in your browser. Breach check — uses k-anonymity so only first 5 chars of hash sent. Your password never fully leaves your device.
Password vs Passphrase vs Passkey: Password is a short random string. Passphrase is a longer memorable sequence of words. Passkey is a cryptographic key (WebAuthn) that replaces passwords entirely. Use passkeys where supported (increasingly common); otherwise passphrases for master passwords, random passwords for accounts.
Frequently asked questions about the Password Strength Checker
▶What makes a password strong?
Three factors: (1) Length — 12+ characters minimum, 16+ recommended, 20+ for critical accounts. (2) Randomness — generated by a CSPRNG, not chosen by a human. (3) Uniqueness — never reused across accounts. Character complexity (mixed case, symbols) matters less than length for random passwords. Pattern detection is more important than complexity rules.
▶What does zxcvbn do?
zxcvbn is a password strength estimator from Dropbox that goes beyond simple rules. It checks against 30,000+ common passwords, common names, dates and date patterns, keyboard patterns, and l33t-speak substitutions. It scores realistically: a password like Password1 scores 0 even though it meets typical complexity rules.
▶What is password entropy?
Bits of unpredictability. Mathematical measure: log2(number_of_possible_passwords). A 12-character random alphanumeric password has ~71 bits. Higher entropy = more attacker work to crack. 64+ bits is generally considered adequate; 100+ bits is very strong; 128+ bits is resistant to nation-state attacks.
▶Is my password sent to the breach database?
No, not fully. The tool uses k-anonymity: it computes SHA-1 of your password locally, sends only the first 5 characters of the hash. The API returns all hashes starting with those 5 chars. Your browser then matches locally. Your full password never leaves your device.
▶Why does Password1! score poorly?
It is in the attackers wordlist. zxcvbn knows the specific pattern: common word + digit + symbol. Attackers try this pattern early when cracking leaked databases. Despite meeting typical complexity rules, it is crackable in seconds.
▶What is the estimated crack time based on?
A GPU rig with a few hundred billion attempts per second for MD5, or ~1 trillion for NTLM and unsalted SHA-1. Modern password hashing (bcrypt, Argon2, scrypt) is MUCH slower: bcrypt manages roughly 10^5 attempts/sec per GPU only at the benchmark cost factor of 5, and far fewer at production cost factors. The tool uses the fast-hash assumption as the worst case.
▶Should I worry about quantum computing?
Not yet for passwords. Quantum computers threaten some cryptographic schemes (RSA, ECC), but standard password hashing is relatively resistant. Grover's algorithm halves effective password entropy: a 128-bit password becomes 64-bit effective, still unbreakable for reasonable lengths. Longer passwords future-proof against quantum search.
▶What about biometrics (fingerprint, face)?
Biometrics are usernames, not passwords. Your fingerprint is not secret (you leave fingerprints everywhere). Biometrics unlock a device or access a stored credential. The underlying credential (key in your device secure enclave) is the real authenticator. Biometrics are convenient, not a password replacement.
▶Can I check multiple passwords at once?
This tool handles one at a time (for safety — multiple inputs might reveal password reuse patterns). For bulk auditing, use the HIBP Pwned Passwords API directly with scripts.
▶What if my password is strong but I reuse it?
Not strong in practice. The moment one site with your strong password is breached, attackers try the same password on every other service. Even a perfect password becomes useless when reused. Always unique per account, stored in a password manager.
Additional resources
- zxcvbn — Dropbox password strength estimator used by this tool.
- Have I Been Pwned — Breach database and Pwned Passwords API.
- NIST SP 800-63B — US government password policy guidelines.
- Password Hashing Competition — Competition that selected Argon2 as winner (2015).
- XKCD Password Strength — The famous correct-horse-battery-staple comic explaining passphrase strength.
Related tools
Bcrypt Hash Generator
Hash passwords with bcrypt and verify existing hashes — configurable rounds
Hash Generator
Generate MD5, SHA-1, SHA-256, SHA-512 hashes for text and files
HMAC Generator
Generate HMAC signatures (SHA-256, SHA-512) for API auth and webhook verification
JWT Decoder
Decode and inspect JSON Web Token (JWT) headers, payloads, and signatures
JWT Generator
Create signed JSON Web Tokens (JWT) with custom claims — HS256, RS256, ES256
Password Generator
Generate strong, cryptographically secure random passwords